eap-tls certificate in freeradius

Chanthearith HUON chanthearith.huon at telecom-sudparis.eu
Wed Aug 20 12:11:15 CEST 2008


Warning: This message has had one or more attachments removed
Warning: (server.cnf, client.cnf, ca.cnf).
Warning: Please read the "INT-Attachment-Warning.txt" attachment(s) for more information.

Hello everyone,

I am currently experimenting with EAP-TLS for delay comparison. I am using 
wpa_supplicant as the RADIUS client and a FreeRADIUS server. I am now having 
a problem dealing with certificates.

I used the script provided in the FreeRADIUS package to create those 
certificates successfully; however, during the authentication FreeRADIUS 
just denied the certificate and sent "eap failure, code Failure (4)" 
(as shown in Wireshark) to the client.

I am using Fedora 8 (kernel 2.6.23.9-85.fc8) to host both FreeRADIUS and 
wpa_supplicant:
FreeRADIUS 1.1.6 (for host i686-pc-linux-gnu, built on Jun 1 2007)
wpa_supplicant v0.5.7 (also tried with v0.5.8, but still the same problem)

I am not sure if the configurations for creating certificates are correct.
Here are the configuration scripts to create the CA, server and client 
certificates (also attached to the mail):

-------------------------- CA ------------------------------
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir            = ./
certs            = $dir
crl_dir            = $dir/crl
database        = $dir/index.txt
new_certs_dir        = $dir
certificate        = $dir/ca.pem
serial            = $dir/serial
crl            = $dir/crl.pem
private_key        = $dir/ca.key
RANDFILE        = $dir/.rand
name_opt        = ca_default
cert_opt        = ca_default
default_days        = 365
default_crl_days    = 30
default_md        = md5
preserve        = no
policy            = policy_match

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
prompt            = no
distinguished_name    = certificate_authority
default_bits        = 2048
input_password        = whatever
output_password        = whatever
x509_extensions        = v3_ca

[certificate_authority]
countryName        = FR
stateOrProvinceName    = Evry
localityName        = Evry
organizationName    = Example Inc.
emailAddress        = admin at example.com
commonName        = "Example Certificate Authority"

[v3_ca]
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid:always,issuer:always
basicConstraints    = CA:true
-------------------------- end of CA ------------------------------



-------------------------- Server ------------------------------
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir            = ./
certs            = $dir
crl_dir            = $dir/crl
database        = $dir/index.txt
new_certs_dir        = $dir
certificate        = $dir/server.pem
serial            = $dir/serial
crl            = $dir/crl.pem
private_key        = $dir/server.key
RANDFILE        = $dir/.rand
name_opt        = ca_default
cert_opt        = ca_default
default_days        = 365
default_crl_days    = 30
default_md        = md5
preserve        = no
policy            = policy_match

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
prompt            = no
distinguished_name    = server
default_bits        = 2048
input_password        = whatever
output_password        = whatever

[server]
countryName        = FR
stateOrProvinceName    = Evry
localityName        = Evry
organizationName    = Example Inc.
emailAddress        = admin at example.com
commonName        = "Example Server Certificate"

-------------------------- end of Server ------------------------------



-------------------------- client ------------------------------
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir            = ./
certs            = $dir
crl_dir            = $dir/crl
database        = $dir/index.txt
new_certs_dir        = $dir
certificate        = $dir/server.pem
serial            = $dir/serial
crl            = $dir/crl.pem
private_key        = $dir/server.key
RANDFILE        = $dir/.rand
name_opt        = ca_default
cert_opt        = ca_default
default_days        = 365
default_crl_days    = 30
default_md        = md5
preserve        = no
policy            = policy_match

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
prompt            = no
distinguished_name    = client
default_bits        = 2048
input_password        = whatever
output_password        = whatever

[client]
countryName        = FR
stateOrProvinceName    = Evry
localityName        = Evry
organizationName    = Example Inc.
emailAddress        = user at example.com
commonName        = root at localhost
-------------------------- end of client ------------------------------

Best regards,
Thierry
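An added linter, not from the post or from the FreeRADIUS certificate scripts, that parses the OpenSSL .cnf format shown above (sections, key = value, $dir expansion) and flags what a reviewer would check in these three files before looking at the EAP exchange: a weak default_md, a CA profile without basicConstraints = CA:true, and a CA_default section that names another role's key and certificate, as the posted client.cnf does with server.pem and server.key. The sample input is a constructed, condensed copy of that client.cnf; the role names ca/server/client and the file-name convention are assumptions of this example.

```python
import os
import re

# Constructed sample: the client.cnf from the post, condensed to the keys the linter reads.
CLIENT_CNF = """
[ ca ]
default_ca = CA_default
[ CA_default ]
dir         = ./
certificate = $dir/server.pem
private_key = $dir/server.key
default_md  = md5
[ req ]
distinguished_name = client
default_bits       = 2048
"""

def parse_cnf(text):
    """Parse OpenSSL .cnf text into {section: {key: value}}, expanding $name
    references to keys already defined in the same section (openssl semantics)."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, val = line.partition("=")
        val = re.sub(r"\$(\w+)", lambda mm: current.get(mm.group(1), mm.group(0)), val.strip())
        current[key.strip()] = val
    return sections

def lint(role, cnf):
    """Return findings for one .cnf given its intended role: 'ca', 'server' or 'client'."""
    findings = []
    ca = cnf.get(cnf.get("ca", {}).get("default_ca", "CA_default"), {})
    md = ca.get("default_md", "").lower()
    if md in {"md2", "md4", "md5", "sha1"}:   # collision-prone digests; use sha256
        findings.append(f"{role}: default_md = {md} is a weak signature digest")
    for key in ("certificate", "private_key"):   # each role should own its own files
        name = os.path.basename(ca.get(key, ""))
        if name and not name.startswith(role):
            findings.append(f"{role}: CA_default {key} = {name} belongs to another role")
    if role == "ca":   # X.509v3 verifiers reject a chain whose CA lacks this extension
        ext = cnf.get(cnf.get("req", {}).get("x509_extensions", ""), {})
        if ext.get("basicConstraints", "").replace(" ", "").upper() != "CA:TRUE":
            findings.append("ca: x509_extensions must set basicConstraints = CA:true")
    return findings
```

Run `lint("client", parse_cnf(CLIENT_CNF))` to see the three findings for the sample; feed each posted file with its role to check all three.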